
Commit bddd3f0

author
Aaron Lehmann
authored
Merge pull request moby#1598 from cyli/wal-snapshot-wrapper
At rest encryption: TLS keys and wrappers around the etcd wal/snap packages
2 parents 0089035 + 31b94a7 commit bddd3f0

47 files changed

Lines changed: 5882 additions & 1746 deletions


api/ca.pb.go

Lines changed: 424 additions & 32 deletions

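--- a/api/ca.proto
+++ b/api/ca.proto
@@ -13,6 +13,11 @@ service CA {
 rpc GetRootCACertificate(GetRootCACertificateRequest) returns (GetRootCACertificateResponse) {
 option (docker.protobuf.plugin.tls_authorization) = { insecure: true };
 };
+// GetUnlockKey returns the current unlock key for the cluster for the role of the client
+// asking.
+rpc GetUnlockKey(GetUnlockKeyRequest) returns (GetUnlockKeyResponse) {
+option (docker.protobuf.plugin.tls_authorization) = { roles: ["swarm-manager"] };
+};
 }
 
 service NodeCA {
@@ -55,3 +60,10 @@ message GetRootCACertificateRequest {}
 message GetRootCACertificateResponse {
 bytes certificate = 1;
 }
+
+message GetUnlockKeyRequest {}
+
+message GetUnlockKeyResponse {
+bytes unlock_key = 1;
+Version version = 2 [(gogoproto.nullable) = false];
+}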
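Review bot: The doc comment on GetUnlockKey says the key is returned "for the role of the client asking", but the tls_authorization option directly below admits only `swarm-manager`, so there is exactly one role that can ever call it and the wording wrongly suggests per-role keys; I would write `// GetUnlockKey returns the current manager unlock key. Only managers may call it; the key is a secret and must not be logged.` GetUnlockKeyResponse has no comments at all: `unlock_key` is the raw key bytes that, per the objects.proto change in this commit, serve as the KEK for manager TLS keys and raft keys at rest, and `version` is presumably the cluster object's version at which the key was read so a caller can detect a rotation — both are worth stating, the second after confirming against the server implementation. Because that single `roles` option is the only gate visible here, any later loosening of it exposes the KEK, which a comment next to the option should make explicit.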

api/control.pb.go

Lines changed: 193 additions & 154 deletions

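--- a/api/control.proto
+++ b/api/control.proto
@@ -313,12 +313,17 @@ message ListClustersResponse {
 repeated Cluster clusters = 1;
 }
 
-message JoinTokenRotation {
-// RotateWorkerToken tells UpdateCluster to rotate the worker secret.
-bool rotate_worker_token = 1;
+// KeyRotation tells UpdateCluster what items to rotate
+message KeyRotation {
+// WorkerJoinToken tells UpdateCluster to rotate the worker secret token.
+bool worker_join_token = 1;
+
+// ManagerJoinToken tells UpdateCluster to rotate the manager secret token.
+bool manager_join_token = 2;
+
+// ManagerUnlockKey tells UpdateCluster to rotate the manager unlock key
+bool manager_unlock_key = 3;
 
-// RotateManagerSecret tells UpdateCluster to rotate the manager secret.
-bool rotate_manager_token = 2;
 }
 
 message UpdateClusterRequest {
@@ -331,8 +336,8 @@ message UpdateClusterRequest {
 // Spec is the new spec to apply to the cluster.
 ClusterSpec spec = 3;
 
-// Rotation contains flags for join token rotation
-JoinTokenRotation rotation = 4 [(gogoproto.nullable) = false];
+// Rotation contains flags for join token and unlock key rotation
+KeyRotation rotation = 4 [(gogoproto.nullable) = false];
 }
 
 message UpdateClusterResponse {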
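Review bot: Renaming `rotate_worker_token`/`rotate_manager_token` to `worker_join_token`/`manager_join_token` keeps field numbers 1 and 2, so the wire format is unchanged, but the JSON/text-format keys change for any client that used the old names and those names are now free to be reused by mistake; adding `reserved "rotate_worker_token", "rotate_manager_token";` inside `KeyRotation` pins that down. The `manager_unlock_key` comment should also say what flipping it means for managers still holding the old key — whether the previous key remains accepted until every manager has fetched the new one is not visible in this hunk, and it is the property an operator needs before rotating. Since KeyRotation is embedded non-nullable in UpdateClusterRequest, all three flags are false on every ordinary update, which is the safe default and worth noting in the message comment.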

api/objects.pb.go

Lines changed: 143 additions & 76 deletions

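--- a/api/objects.proto
+++ b/api/objects.proto
@@ -230,6 +230,13 @@ message Cluster {
 // be honored. It's a mapping from CN -> BlacklistedCertificate.
 // swarm. Their certificates should effectively be blacklisted.
 map<string, BlacklistedCertificate> blacklisted_certificates = 8;
+
+// UnlockKeys defines the keys that lock node data at rest. For example,
+// this would contain the key encrypting key (KEK) that will encrypt the
+// manager TLS keys at rest and the raft encryption keys at rest.
+// If the key is empty, the node will be unlocked (will not require a key
+// to start up from a shut down state).
+repeated EncryptionKey unlock_keys = 9;
 }
 
 // Secret represents a secret that should be passed to a container or a node,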
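Review bot: `unlock_keys` stores the KEK that protects manager TLS keys and raft keys at rest inside the Cluster object, and Cluster is exactly what the control API hands back (the `repeated Cluster clusters = 1;` context in this commit's control.proto section), so every client with control-API access would receive the KEK unless the control API redacts the field; I could not see such a redaction in this diff and it should be confirmed or added. The comment also says "If the key is empty" while the field is `repeated`: state whether an empty list or a single key with empty bytes means unlocked, and why more than one key may be present (presumably old and new key during a rotation — confirm). Suggested wording: `// UnlockKeys holds the key encrypting keys (KEKs) that protect manager TLS keys and raft data at rest. An empty list means managers start without an unlock key. This is a secret and must be redacted from control-API responses.`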

api/specs.pb.go

Lines changed: 151 additions & 104 deletions

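--- a/api/specs.proto
+++ b/api/specs.proto
@@ -323,6 +323,9 @@ message ClusterSpec {
 
 // TaskDefaults specifies the default values to use for task creation.
 TaskDefaults task_defaults = 7 [(gogoproto.nullable) = false];
+
+// EncryptionConfig defines the cluster's encryption settings.
+EncryptionConfig encryption_config = 8 [(gogoproto.nullable) = false];
 }
 
 // SecretSpec specifies a user-provided secret.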
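Review bot: `encryption_config` is documented only as "the cluster's encryption settings", and the EncryptionConfig message itself is not in this hunk, so a reader of ClusterSpec cannot tell what a user is opting into by setting it; the comment should name the effect, e.g. `// EncryptionConfig controls at-rest protection of manager state (e.g. whether an unlock key is required at startup); see EncryptionConfig for the settings.` One sentence on how this user-set spec relates to the cluster-generated `unlock_keys` on the Cluster object would also help, if that is indeed the split — the definition that would confirm it is outside this diff.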
